1. Field of the Invention
The present invention relates generally to a computer implemented method, data processing system, and computer program product for controlling access to data processing system resources. More specifically, the present invention relates to permitting a user to grant privileges to a child user, but limiting those privileges to avoid a child removing privileges of the user.
2. Description of the Related Art
Modern computers and networks of computers may provide multiple levels and gradations of authority for users to use within the computer or network. An authorization is a key that enables a function for use by a user within a data processing system. The authorization may be grouped with other authorizations to form, collectively, a role. A role is one or more authorizations in combination. An authorization may be assigned from one user to a second user. Depending on the data processing system, an authorization may be assigned to a user by assigning a role to the user, where the role includes the authorization. Thus, for a group of users, as related to a specific function, some users may be authorized to use the function, and some users may not be authorized to use the function. The first group of users is said to be assigned an authorization corresponding to the function.
Users of the computer are created in a hierarchy. A first user can create a second user. A parent-child relationship is a relative term indicating that, of a first user and a second user, one user directly created the other. In this example, the first user is the parent user of the second user.
Examples of some authorizations that may be assigned to a user include an authorization “aix.security.user.remove” to use “rmuser”, an AIX® command to remove a user specified on the command line. AIX® is a trademark of International Business Machines Corporation in the United States, other countries or both. A second example is an authorization “aix.security.user.change” to use “chuser”, an AIX® command to change attributes of a user specified on the command line. One of the attributes of the user is the roles assigned to the user. The command “chuser” is used to remove roles from a user or add roles to a user. Since a role is a collection of authorizations, removing a role from a user through the “chuser” command actually removes one or more authorizations from the user.
Some challenging aspects to granting authorization to a user revolve around preserving the authorizations of the parent user of the user receiving the assigned authorizations. For example, in conventional systems, a user, for example, named user-B, creates a child user, named, for example, user-C. User-B also assigns authorizations to user-C to access the commands “rmuser” and “chuser”, the command to remove users and the command to change user attributes, respectively. Such an arrangement can permit user-C to stage a coup of sorts. For example, user-C may execute “rmuser user-B”, effectively eliminating the user account and authority of user-B. Another anomalous power of user-C is the ability to establish a permanent appointment by diminishing the roles (or, indirectly, the authorizations) of user-B. For example, assume that user-B has two roles R1 and R2 associated with “aix.fs.create” and “aix.fs.remove”, respectively. The authorization “aix.fs.create” authorizes creating file systems, using, for example, the command “mkfs”. The authorization “aix.fs.remove” authorizes removing file systems, using, for example, the command “rmfs”. User-C may execute “chuser roles=-R2 user-B”, effectively removing role R2 from user-B. Breaking the association of user-B to role R2 disables user-B from removing any file systems. Consequently, user-B cannot execute the rmfs command. The data processing system blocks user-B's access to rmfs by removing “aix.fs.remove” from user-B. Moreover, if user-C has been given authorization to create further users, each of these users might be assigned similar authorizations such that these users could similarly remove authorizations of the ancestors of such users, for example, user-B.
When a set of authorizations is grouped together to form a named role, it can be helpful to exclude, on an authorization-by-authorization basis, one or more authorizations. This exclusion can be helpful in instances where a worker is temporarily assigned a task within the data processing system. It could be burdensome to define a separate role for such an ad hoc arrangement.
Thus, a role having certain authorizations masked out could achieve some benefits. In addition, a need exists to provide a user with a mechanism to exclude descendant users from applying authorizations against the user.
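The following is an added illustrative model of the two mechanisms discussed above (a role with individual authorizations masked out, and a guard that prevents a descendant user from applying “rmuser” or “chuser” against an ancestor). It is not the patent's claimed implementation and not AIX code: the authorization names are those quoted in the text, while the `Role`, `User`, `check`, `mkuser`, `rmuser`, `chuser_remove_role` and `scenario` names, and the `masked` attribute, are constructed for this example. It replays the user-B / user-C scenario and shows that the guard leaves user-B's roles intact while still letting user-C administer its own descendant.

```python
from dataclasses import dataclass, field
from typing import Optional

# Authorization names are taken from the background text; all other names are constructed.
AUTH_RM_USER = "aix.security.user.remove"   # required to run rmuser
AUTH_CH_USER = "aix.security.user.change"   # required to run chuser
AUTH_FS_CREATE = "aix.fs.create"            # mkfs
AUTH_FS_REMOVE = "aix.fs.remove"            # rmfs


@dataclass(frozen=True)
class Role:
    """A named collection of authorizations, optionally with some masked out."""
    name: str
    authorizations: frozenset
    masked: frozenset = frozenset()   # constructed: authorizations excluded one by one

    def effective(self) -> frozenset:
        # Masking removes individual authorizations without defining a new role.
        return self.authorizations - self.masked


@dataclass(eq=False)   # compare users by identity, never by field values
class User:
    name: str
    parent: Optional["User"] = None   # the user that created this one
    roles: list = field(default_factory=list)

    def authorizations(self) -> set:
        auths = set()
        for role in self.roles:
            auths |= role.effective()
        return auths

    def ancestors(self):
        u = self.parent
        while u is not None:
            yield u
            u = u.parent


class PermissionDenied(Exception):
    pass


def check(actor: User, target: User, auth: str) -> None:
    """Deny unless actor holds `auth` and target is not one of actor's ancestors."""
    if auth not in actor.authorizations():
        raise PermissionDenied(f"{actor.name} lacks {auth}")
    if any(a is target for a in actor.ancestors()):
        raise PermissionDenied(f"{actor.name} may not apply {auth} against ancestor {target.name}")


def mkuser(parent: User, name: str, directory: dict) -> User:
    child = User(name, parent=parent)
    directory[name] = child
    return child


def rmuser(actor: User, target: User, directory: dict) -> None:
    check(actor, target, AUTH_RM_USER)
    del directory[target.name]


def chuser_remove_role(actor: User, target: User, role_name: str) -> None:
    """Models 'chuser roles=-<role> <target>' under the ancestor guard."""
    check(actor, target, AUTH_CH_USER)
    target.roles = [r for r in target.roles if r.name != role_name]


def scenario() -> dict:
    """Replays the user-B / user-C example from the text with the guarded commands."""
    directory = {}
    r1 = Role("R1", frozenset({AUTH_FS_CREATE}))
    r2 = Role("R2", frozenset({AUTH_FS_REMOVE}))
    admin = Role("admin", frozenset({AUTH_RM_USER, AUTH_CH_USER}))
    user_b = User("user-B", roles=[r1, r2, admin])
    directory["user-B"] = user_b

    user_c = mkuser(user_b, "user-C", directory)
    user_c.roles.append(admin)          # user-B grants user-C the rmuser/chuser authorizations
    user_d = mkuser(user_c, "user-D", directory)
    user_d.roles.append(r2)

    result = {}
    try:
        rmuser(user_c, user_b, directory)
        result["rmuser_B"] = "allowed"
    except PermissionDenied:
        result["rmuser_B"] = "denied"
    try:
        chuser_remove_role(user_c, user_b, "R2")
        result["chuser_B"] = "allowed"
    except PermissionDenied:
        result["chuser_B"] = "denied"
    result["B_keeps_fs_remove"] = AUTH_FS_REMOVE in user_b.authorizations()

    chuser_remove_role(user_c, user_d, "R2")   # user-D is a descendant of user-C: allowed
    result["D_keeps_fs_remove"] = AUTH_FS_REMOVE in user_d.authorizations()

    # Masked role for an ad hoc assignment: admin minus the user-removal authorization.
    limited = Role("admin", admin.authorizations, masked=frozenset({AUTH_RM_USER}))
    user_e = mkuser(user_b, "user-E", directory)
    user_e.roles.append(limited)
    result["E_can_rmuser"] = AUTH_RM_USER in user_e.authorizations()
    result["E_can_chuser"] = AUTH_CH_USER in user_e.authorizations()
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The guard in `check` is evaluated on every privileged command, so it also covers the deeper case the text raises: a grandchild created by user-C inherits the same parent chain and is refused against user-B just as user-C is. Masking is applied when the role's effective authorizations are computed, so a masked role never needs to be re-declared.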